News Profile Code Photography Looking Glass Projects System Statistics Uncategorized
Present Location: News >> Blog >> libpcap Expression to Filter IPv6 Router Advertisements

Blog
> libpcap Expression to Filter IPv6 Router Advertisements
Posted by prox, from Charlotte, on January 25, 2009 at 15:51 local (server) time

So I was hanging in #IPv6 on freenode, today…

15:18 < jakllsch> anyone know tcpdump magic to display only router adverts?

That's simple, I figured:

ip6 and icmp6 and 'icmp6[icmptype] == 134'

According to the ICMPv6 type numbers, router advertisements are type 134.  But the expression doesn't work!  libpcap 0.9.8 in Debian doesn't seem to support this:

IPv6 upper-layer protocol is not supported by proto[x]

So, knowing that the IPv6 header is 40 bytes long, and that the type is the first byte in the ICMPv6 header, the solution is simple:

ip6 and icmp6 and 'ip6[40] = 134'

As an example:

% tcpdump -r hi.cap ip6 and icmp6 and 'ip6[40] = 134'
reading from file hi.cap, link-type EN10MB (Ethernet)
15:38:00.167264 IP6 fe80::204:23ff:fe5f:4cd8 > ip6-allnodes: ICMP6, router advertisement, length 56
15:38:05.348160 IP6 fe80::204:23ff:fe5f:4cd8 > ip6-allnodes: ICMP6, router advertisement, length 56

Cool, huh?  I'm sure I made your day.

> Add Comment

New comments are currently disabled for this entry.

XHTML 1.0 ValidCSS ValidRSS 2.0Powered by FreeBSDIPv4 This HTML for this page was generated in 0.001 seconds.